Companies looking to empower road warriors to access corporate data and applications wherever they are working have traditionally used a remote access solution and opened their corporate network to anyone who held the credentials of an authorised user. It is this simplicity and exposure that inherently brings risk to a company’s intellectual property, and organisations have spent years trying to mitigate that risk in a multitude of ways, mostly by adding to the already large stack of security appliances at their gateway. This approach is both complex and costly.
Think for a moment about how enterprises connect their staff to the company network today. No doubt your company has an exposed IP address or DNS name, such as “vpn.company.com”, visible on the internet. This is where a remote client must connect in order to reach the applications and data inside the network. But exposing an IP address, DNS name or any other network infrastructure component to the internet means that anyone can see that gateway. This is, unfortunately, the way the internet is built: it does not let you decide selectively who gets to see your enterprise gateway. Attackers looking to monetise their activities can use this visibility just as well as legitimate users, by probing the gateway. From the publicly available information they are in a position to work out the most effective way to attack the enterprise using known vulnerabilities. So as long as an IT department wants to offer staff remote access, the company has to balance that risk in order to empower its users.
As companies expand and additional requirements are pushed onto this exposed infrastructure, for example by third parties requiring remote access, the risk grows further. An additional access path such as “partner.vpn.company.com” is added. Then developers need a separate portal to manage and access a bug-tracking system, so “dev.company.com” is created with its own authentication solution. The workload of the IT department increases as it is forced to chase and control the risks that come with each new requirement. Before long there is an ecosystem of exposed access solutions, each with its own DNS names and IP addresses, along with the danger of policy misconfigurations made by staff and the burden of managing it all.
This ecosystem goes along with the dangers of poorly managed DNS and IP space: a company’s assets are advertised not only to employees but to the entire wild west of the internet, inviting hackers to take a closer look at the infrastructure components in your organisation’s network. They are able to read your set-up information, such as “this company runs an X-type VPN solution, a Y-type remote portal or a Z-type security solution” (normally with the version available as well). Based on this insight they can make an informed decision about the best way to start an attack.
Why is it that in 2018 we are still thinking in terms of 2001?
At the turn of the millennium companies had no choice but to expose connectivity to the whole internet, so the consequence was to try to protect corporate assets with a stack of hardware: firewalls, intrusion detection systems, load balancers and the like. In the age of digital transformation, however, companies have the choice to leverage the power of the cloud.
Turning off network visibility, and with it the exposure, is one way to remediate the risk that comes with providing a gateway on the internet. The answer is a reverse tunnel, protected with TLS encryption, that originates at the application level.
The TLS reverse tunnel provides access to the required applications by routing traffic only for an authenticated user, and only to the applications that user is allowed to reach under dedicated policies. These applications then send their data “back” to the user over a TLS tunnel generated per session, minimising the risk to the company. The difference is that once the solution is installed, nobody can reach an application directly through the internet: the reverse tunnel is established outbound, which enables access while removing the exposure on the internet.
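As an added illustration (not code from the original post or any vendor product), the following Python sketch simulates the access model described above: a connector inside the private network dials outbound to a broker, the broker admits only an authenticated user whose policy lists the requested application, and the application’s reply travels back over that per-session tunnel. Plain TCP on localhost stands in for the TLS tunnel, and the policy, user names and applications are constructed.

```python
import socket
import threading

# Constructed policy: which authenticated users may reach which internal apps.
POLICY = {"alice": {"bugtracker"}, "bob": {"wiki"}}

# Constructed stand-ins for applications that live inside the private network
# and have no listener of their own on the internet.
INTERNAL_APPS = {
    "bugtracker": lambda req: b"BUG-42: open",
    "wiki": lambda req: b"wiki home",
}


def authorize(user, app, policy=POLICY):
    """Deny by default: a user reaches only the apps explicitly listed for them."""
    return app in policy.get(user, set())


def connector(broker_addr):
    """Runs inside the private network. It dials OUT to the broker, so nothing
    on the private side ever listens on the internet. In a deployment the
    socket would be wrapped with ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    .wrap_socket(sock, server_hostname=...); plain TCP keeps this runnable."""
    with socket.create_connection(broker_addr) as tunnel:
        app, _, request = tunnel.recv(4096).partition(b"\n")
        handler = INTERNAL_APPS.get(app.decode())
        tunnel.sendall(handler(request) if handler else b"no such app")


def broker(user, app, request):
    """Internet-facing broker. `user` is assumed to be already authenticated
    (e.g. by an identity provider); the broker applies policy first and only
    then lets a per-session tunnel be opened from the inside."""
    if not authorize(user, app):
        return b"denied"            # no tunnel is ever opened for this session
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    # Simulation only: a real connector keeps a persistent outbound control
    # channel and opens the data tunnel when the broker asks for one.
    threading.Thread(target=connector, args=(listener.getsockname(),),
                     daemon=True).start()
    tunnel, _ = listener.accept()   # the connection arrived outbound from inside
    listener.close()
    with tunnel:
        tunnel.sendall(app.encode() + b"\n" + request)
        return tunnel.recv(4096)
```

Note that a denied request never causes a tunnel to be opened at all, which is the property that keeps the internal applications invisible from the internet.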